b"NATIONAL CREDIT UNION ADMINISTRATION\n    OFFICE OF INSPECTOR GENERAL\n\n\n\n\n              INDEPENDENT EVALUATION OF THE\n          NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\n         COMPLIANCE WITH THE FEDERAL INFORMATION\n           SECURITY MANAGEMENT ACT (FISMA) 2010\n\n                         Report # OIG-10-18\n                         November 15, 2010\n\n\n\n\n                         William A. DeSarno\n                         Inspector General\n\n\n    Released by:                      Auditor-in-Charge:\n\n\n\n\n    James Hagen                       W. Marvin Stith, CISA\n  Deputy IG for Audits                Sr. Information Technology Auditor\n\x0c   REPORT # OIG-10-18 INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\n   COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n                                          Contents\n\nSection                                                                             Page\n\n   I      EXECUTIVE SUMMARY                                                                  1\n\n  II      BACKGROUND                                                                         3\n\n  III     OBJECTIVE                                                                          4\n\n  IV      METHODOLOGY AND SCOPE                                                              4\n\n  V       RESULTS IN DETAIL                                                                  5\n\n                1.    NCUA needs to improve its security configuration                       5\n                      program.\n\n                2.    NCUA needs to perform a security control assessment                    7\n                      for its General Support System.\n\n                3.    NCUA needs to complete an overall Business Impact                      8\n                      Analysis of its FISMA systems.\n\n                4.    
NCUA needs to improve its contingency planning                         9\n                      program for its FISMA systems.\n\n                5.    NCUA needs to improve its oversight of external service                10\n                      providers.\n\n                6.    NCUA needs to improve its remote access controls.                      11\n\n                7.    NCUA needs to improve its Plans of Action and                          13\n                      Milestones process.\n\n                8.    NCUA needs to enhance its procedures for ensuring                      14\n                      terminated users and inactive user accounts are\n                      disabled or removed from NCUA systems.\n\n                9.    NCUA needs to update the Service Level Agreement                       15\n                      for its Intrusion Detection System.\n\n                10.   NCUA needs to review its use of Personally Identifiable                17\n                      Information and Social Security Numbers.\n\n                11.   NCUA needs to implement continuing education                           18\n                      requirements for its information technology employees.\n\n                                              i\n\x0cREPORT # OIG-10-18 INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n                              I. EXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG) for the National Credit Union Administration\n(NCUA) engaged Richard S. 
Carson and Associates, Inc (Carson Associates), to\nindependently evaluate its information systems and security program and controls for\ncompliance with the Federal Information Security Management Act (FISMA), Title III of\nthe E-Government Act of 2002.\n\nCarson Associates evaluated NCUA\xe2\x80\x9fs security program through interviews,\ndocumentation reviews, technical configuration reviews, and sample testing. We\nevaluated NCUA against standards and requirements for federal government agencies\nsuch as those provided through FISMA, the Government Accountability Office\xe2\x80\x9fs Federal\nInformation System Controls Audit Manual (FISCAM), National Institute of Standards\nand Technology (NIST) Special Publications (SPs), and Office of Management and\nBudget (OMB) memoranda. We conducted an exit conference with NCUA on\nNovember 8, 2010 to discuss evaluation results.\n\nThe NCUA has worked to further strengthen its information technology (IT) security\nprogram during Fiscal Year (FY) 2010. 
NCUA\xe2\x80\x9fs accomplishments during this period\ninclude:\n\n   \xef\x82\xb7   Enhanced change control management system, adding security impact analysis\n       for its IT systems.\n   \xef\x82\xb7   Use of an SCAP-validated scanner to verify its workstation configurations.\n   \xef\x82\xb7   Enhanced policies and procedures.\n   \xef\x82\xb7   Completed e-Authentication risk assessments for its two e-Authentication\n       systems.\n   \xef\x82\xb7   Completed security control assessments for five of its six FISMA systems.\n   \xef\x82\xb7   Signed Authorizations To Operate for all six Certification and Accreditation\n       packages.\n   \xef\x82\xb7   Improved Plan of Action and Milestones process.\n   \xef\x82\xb7   Updated Privacy Policy on NCUA.gov to describe use of third-party Web sites\n       and applications.\n\nWe identified five areas remaining from last year\xe2\x80\x9fs FISMA evaluation that NCUA officials\nneed to address:\n\n   \xef\x82\xb7   Improve its security configuration program.\n   \xef\x82\xb7   Improve its contingency planning program for its FISMA systems.\n   \xef\x82\xb7   Enhance its procedures for ensuring terminated users and inactive user accounts\n       are removed from its systems.\n   \xef\x82\xb7   Update the Service Level Agreement for its Intrusion Detection System.\n   \xef\x82\xb7   Implement continuing education requirements for its information technology\n       employees.\n\n\n\n\n                                           1\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\nIn addition, we identified six new findings this year where NCUA could improve IT\nsecurity controls. 
Specifically, NCUA needs to:\n\n   \xef\x82\xb7   Perform a security control assessment for its General Support System.\n   \xef\x82\xb7   Complete an overall Business Impact Assessment of its FISMA systems.\n   \xef\x82\xb7   Improve its oversight of external service providers.\n   \xef\x82\xb7   Improve its remote access controls.\n   \xef\x82\xb7   Improve its Plan of Action and Milestone process.\n   \xef\x82\xb7   Review its use of Personally Identifiable Information and Social Security\n       Numbers.\n\nWe appreciate the courtesies and cooperation provided to our auditors during this audit.\n\n\n\n\n                                           2\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n                                   II. BACKGROUND\n\nThis section provides background information on FISMA and NCUA.\n\nFederal Information Security Management Act\n\nThe President signed into law the E-Government Act (Public Law 107-347), which\nincludes Title III, Information Security, on December 17, 2002. The Federal Information\nSecurity Management Act (FISMA) permanently reauthorized the framework laid out in\nthe Government Information Security Reform Act of 2000 (GISRA), which expired in\nNovember 2002. FISMA continues the annual review and reporting requirements\nintroduced in GISRA. In addition, it includes new provisions aimed at further\nstrengthening the security of the federal government\xe2\x80\x9fs information and information\nsystems, such as development of minimum standards for agency systems. 
In general,\nFISMA:\n\n   \xef\x82\xb7   Lays out a framework for annual information technology security reviews,\n       reporting, and remediation plans.\n   \xef\x82\xb7   Codifies existing OMB security policies, including those specified in Circular\n       A-130, Management of Federal Information Resources, and Appendix III.\n   \xef\x82\xb7   Reiterates security responsibilities outlined in the Computer Security Act of 1987,\n       Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.\n   \xef\x82\xb7   Tasks NIST with defining required security standards and controls for federal\n       information systems.\n\nOMB issued the 2010 Reporting Instructions for the Federal Information Security\nManagement Act on April 21, 2010. This document provides clarification to agencies for\nimplementing, meeting, and reporting FISMA requirements to OMB and Congress.\n\nNational Credit Union Administration (NCUA)\n\nNCUA is the independent federal agency that charters, supervises, and insures the\nnation\xe2\x80\x9fs federal credit unions. NCUA insures many state-chartered credit unions as\nwell. NCUA is funded by the credit unions it supervises and insures. NCUA's mission is\nto foster the safety and soundness of federally-insured credit unions and to better\nenable the credit union community to extend credit for productive and provident\npurposes to all Americans, particularly those of modest means.\n\nNCUA strives to ensure that credit unions are empowered to make necessary business\ndecisions to serve the diverse needs of its members and potential members. It does\nthis by establishing a regulatory environment that encourages innovation, flexibility, and\na continued focus on attracting new members and improving service to existing\nmembers.\n\nNCUA has a full-time three-member Board of Directors (Board) appointed by the\nPresident of the United States and confirmed by the Senate. 
The Board consists of a\n\n\n                                            3\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\nchairman and 2 board members. No more than two board members can be from the\nsame political party, and each member serves a staggered six-year term. NCUA\xe2\x80\x9fs\nBoard regularly meets in open session each month, with the exception of August, in\nAlexandria, Virginia. In addition to its central office in Alexandria, NCUA has five\nregional offices and the Asset Management and Assistance Center (AMAC).\n\n                                    III. OBJECTIVE\n\nThe audit objective was to assist the OIG in performing an independent evaluation of\nNCUA information security policies and procedures for compliance with FISMA and\nfederal regulations and standards. We evaluated NCUA\xe2\x80\x9fs efforts related to:\n\n   \xef\x82\xb7   Efficiently and effectively managing its information security program;\n   \xef\x82\xb7   Meeting responsibilities under FISMA;\n   \xef\x82\xb7   Remediating prior audit weaknesses pertaining to FISMA and other security\n       weaknesses identified; and\n   \xef\x82\xb7   Implementing its Plans of Action and Milestones (POA&M)\n\nIn addition, the audit was required to provide sufficient supporting evidence of NCUA\xe2\x80\x9fs\nsecurity program evaluation to enable the OIG to report to OMB.\n\n\n                          IV. METHODOLOGY AND SCOPE\n\nWe evaluated NCUA\xe2\x80\x9fs information technology (IT) security program and practices\nagainst such standards and requirements as those provided through FISMA, the\nGovernment Accountability Office\xe2\x80\x9fs FISCAM, NIST SPs, and OMB memoranda.\n\nWe review IT security control techniques for all of NCUA\xe2\x80\x9fs major information systems on\na rotational basis. 
During this evaluation, we assessed NCUA\xe2\x80\x9fs controls over the\nPOA&M process, privacy and security awareness training, remote access, identity\nmanagement program, continuous monitoring, and incident response. In addition, we\nevaluated areas required to report under OMB M-10-15, such as reviews of privacy and\nbreach notification, certification and accreditation (C&A) documentation including\nsystem security plans, risk assessments, contingency plans, and certification reports.\nFurthermore, we reviewed existing IT security controls and identified weaknesses\nimpacting certain General Support System (GSS) components, application security (to\ninclude change controls and configuration management), and service continuity.\n\nWe conducted our fieldwork from August 2010 through November 2010. We performed\nour audit in accordance with generally accepted government auditing standards\n(GAGAS), audit standards promulgated by the American Institute of Certified Public\nAccountants (AICPA), and information systems standards issued by the Information\nSystems Audit & Control Association (ISACA).\n\n\n\n\n                                           4\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n                                         V. RESULTS IN DETAIL\n\nSecurity program planning and management controls are designed to provide the\nframework and continuing cycle of activity for managing risk, developing security\npolicies, assigning responsibilities, and monitoring the adequacy of an entity's\ncomputer-related controls. NCUA has made progress in addressing last year\xe2\x80\x9fs reported\ndeficiencies; however, some prior year deficiencies remain. In addition, we identified\nother areas for improvement that require management's attention. We discuss these\nissues below.\n\n\n1. 
NCUA needs to improve its security configuration program.\n\nNCUA has established a configuration guide for its workstation and server operating\nsystems. NCUA verifies FDCC security configurations for its workstations using FDCC\nscanner capabilities and has documented its compliance with/variances from NIST\nbaseline security configurations for its workstations. However, NCUA has not\nimplemented the NIST-approved security configurations for its servers and network\ndevices. In addition, NCUA has not implemented a procedure and tool to verify its\nserver and network device configurations against the NIST baseline security\nconfigurations.\n\nThe server and network device finding remains from the FY 2009 FISMA review.\n\nFISMA requires each agency to determine minimally acceptable system configuration\nrequirements and ensure compliance with them.1 OMB Memorandum M-08-22\nrequires:\n\n    \xef\x82\xb7    Industry and government information technology providers to use Security\n         Content Automation Protocol (SCAP)2 validated tools with FDCC scanner\n         capability to certify that their products operate correctly with FDCC configurations\n         and do not alter FDCC settings.\n\n    \xef\x82\xb7    Agencies to use SCAP tools to scan for both FDCC configurations and\n         configuration deviations approved by department or agency accrediting authority.\n\n    \xef\x82\xb7    Agencies to use SCAP tools when monitoring the use of these configurations as\n         part of FISMA continuous monitoring.\n\nNIST has made available through the National Checklist Program (NCP)3 security\nconfiguration checklists4 for operating systems and applications that are widely used\n\n1\n  Section 3544(b)(2)(D)(iii)).\n2\n  SCAP enables validated security tools to perform automatic configuration checking using National Checklist\nProgram (NCP) checklists within this category.\n3\n  The National Checklist Program is the U.S. 
government repository of publicly available security checklists (or\nbenchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and\napplications.\n\n\n                                                         5\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\nwithin the Federal Government. NIST encourages agencies to implement the\napplicable checklists into their environment and document any deviations from the\ncommon security configurations with justifications.\n\nNCUA has not implemented the applicable NIST security checklists provided under the\nNCP to configure its servers and network devices. Concerning the servers, NCUA uses\nthe Microsoft Baseline Security Analyzer (MBSA) to provide a baseline security\nconfiguration and verify the configurations of its servers. However, MBSA relies solely\non Microsoft\xe2\x80\x9fs recommended security settings and is not an approved SCAP tool with\nAuthenticated Configuration Scanner Capabilities. In addition, NCUA manually\nconfigures its network devices and stores the baseline configurations locally. However,\nNCUA has not implemented a SCAP scanner with Authenticated Configuration Scanner\ncapabilities to ensure compliance of the network devices with the baseline\nconfigurations.\n\nIn response to the FY 2009 Independent FISMA Evaluation Report, NCUA management\nconcurred with this finding. However, management indicated they did not implement\nour recommendations by their stated goal of May 2010 due to IT staff resource\nconstraints and additional security priorities taking precedence.\n\nBy not adopting the NIST-approved server security configuration checklist, the NCUA is\nnot implementing federally accepted server security standards. 
In addition, by not using\nSCAP validated tools, NCUA cannot appropriately validate the implementation of the\nNational Checklist Program on its servers, and network devices (e.g., routers, switches,\nfirewalls etc).\n\n\nRecommendation 1: We recommend that NCUA take the following actions:\n\n    1) Implement a Security Content Automation Protocol (SCAP) validated vulnerability\n       scanner/appliance with Authenticated Configuration Scanner capabilities for\n       servers and network devices.\n\n    2) Implement and verify NIST baseline security configurations for servers and\n       network devices using the Authenticated Configuration Scanner capabilities and\n       document the deviations.\n\nAgency Response: NCUA agrees with the recommendations, but notes that this\nfinding has no impact on the actual security of NCUA systems. We are currently using\na scanning tool that executes the required scan, but does not present the information in\nthe SCAP format. We will review SCAP validated tools in order to determine if the extra\nfunctionality is cost justified.\n4\n  A security configuration checklist essentially contains instructions or procedures for configuring an IT product to a\nbaseline level of security. 
A checklist might include: (a) Configuration files that automatically set various security\nsettings; (b) Documentation that guides the checklist user to manually configure software; (c) Documents that explain\nthe recommended methods to securely install and configure a device; and (d) Policy documents that set forth\nguidelines for such things as auditing, authentication security, and perimeter security.\n\n\n                                                           6\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n\nOIG Response: The OIG re-emphasizes that NCUA\xe2\x80\x9fs use of non-SCAP validated tools\nresults in NCUA not meeting OMB requirements. More importantly, the use of SCAP\nvalidated tools in combination with the National Checklist Program would facilitate\nNCUA mapping its individual system security configuration settings to the high-level\nsecurity requirements as identified by NIST.\n\n\n2. 
NCUA needs to perform a security control assessment for its General Support\n   System.\n\nNCUA did not assess the management, operational, and technical security controls for\nits General Support System (GSS) in FY 2010.\n\nNIST SP 800-37 states that periodic testing and evaluation of the effectiveness of\ninformation security policies, procedures, practices, and security controls to be\nperformed with a frequency depending on risk, but no less than annually.\n\nNIST SP 800-53A, Revision 1, describes the process of assessing the security controls\nin organizational information systems including: (i) the activities carried out by\norganizations and assessors to prepare for security control assessments; (ii) the\ndevelopment of security assessment plans; (iii) the conduct of security control\nassessments and the analysis, documentation, and reporting of assessment results;\nand (iv) post-assessment report analysis and follow-on activities carried out by\norganizations.\n\nNCUA officials indicated they did not assess the GSS this year because they were\nunder the impression that the System Test and Evaluation from the FY 2009\nCertification &Accreditation (C&A) was still valid.\n\nSecurity threats and vulnerabilities to IT systems change continuously. By maintaining\ncomprehensive C&A packages for all systems including ongoing security control\nassessments, NCUA will be able to identify all of the security vulnerabilities associated\nwith operating their system. 
Consequently, NCUA management actions on this issue\nwill be able to help maintain the confidentiality, availability, and integrity of data in the\nGSS.\n\nRecommendation 2: Conduct a security control assessment for the GSS according to\nNIST guidance.\n\nAgency Response: NCUA agrees with the recommendations and has scheduled a\ntest of the GSS controls with KPMG that will be completed in the next FISMA calendar\ncycle.\n\n\nOIG Response: The OIG concurs with NCUA\xe2\x80\x9fs planned actions.\n\n\n\n                                              7\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n\n3. NCUA needs to complete an overall Business Impact Analysis of its FISMA\n   systems.\n\nNCUA has not completed an overall Business Impact Analysis of its systems that are\ncritical to supporting the organization\xe2\x80\x9fs mission/business functions.\n\nNIST 800-34, Revision 1, provides the following guidance:\n\nEffective contingency planning begins with the development of an organization\ncontingency planning policy and subjection of each information system to a Business\nImpact Analysis (BIA). 
This facilitates prioritization of systems and processes based on\nthe FIPS 199 impact level and develops priority recovery strategies for minimizing loss.\nFIPS 199 provides guidelines on determining information and information system impact\nto organizational operations and assets, individuals, other organizations, and the nation\nthrough a formula that examines three security objectives: confidentiality, integrity, and\navailability.\n\nPerforming a Business Impact Analysis includes determining business processes and\nrecovery criticality, identifying resource requirements, and identifying system resource\nrecovery priorities.\n\nThe BIA purpose is to correlate the system with the critical mission/business processes\nand services provided, and based on that information, characterize the consequences\nof a disruption. The Information System Contingency Plan (ISCP) Coordinator can use\nthe BIA results to determine contingency planning requirements and priorities.\n\nNCUA has not performed an overall Business Impact Assessment in accordance with\nNIST SP 800-34, Revision 1 guidance.\n\nBy not performing an overall Business Impact Assessment, it will be more difficult for\nNCUA to prioritize the systems and processes based on the FIPS 199 impact level and\nto develop priority recovery strategies for minimizing loss.\n\nRecommendation 3: We recommend that NCUA management complete its overall\nBusiness Impact Assessment on each of its systems.\n\n\nAgency Response: NCUA agrees with the recommendation.\n\n\nOIG Response: The OIG concurs.\n\n\n\n\n                                            8\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n4. 
NCUA needs to improve its contingency planning program for its FISMA\n   systems.\n\nNCUA does not have policies and procedures for system owners for developing,\nmaintaining, and testing disaster recovery/contingency plans. In addition, NCUA has\nnot provided a contingency plan for the NCUA Accounting System (NAS). This issue is\na repeat finding from the FY 2008 and FY 2009 FISMA reviews.\n\nFurthermore, NCUA has not completed testing of its NCUA systems for FY 2010.\n\nNIST 800-53, Revision 3, guides provides the following guidance to organizations:\n\n   \xef\x82\xb7   Test and/or exercise the contingency plan for the information system using\n       organization-defined tests and/or exercises on an organization-defined frequency\n       to determine the plan\xe2\x80\x9fs effectiveness and the organization\xe2\x80\x9fs readiness to execute\n       the plan; and\n\n   \xef\x82\xb7   Review the contingency plan test/exercise results and initiate corrective actions.\n\nNCUA has not completed FY 2010 contingency plan testing on any of its six FISMA\nsystems. In addition, although NCUA officials indicated they have developed a\ncontingency plan for NAS, officials did not provide this plan for NAS. Furthermore, in\nresponse to our FY 2009 FISMA review, NCUA management agreed with our\nrecommendation to develop policies and procedures for system owners for developing,\nmaintaining and testing contingency plans. NCUA management indicated they would\nimplement the recommendation by May 1, 2010. However, as of the date of this review,\nNCUA management had not implemented the recommendation.\n\nNCUA management indicated there was an oversight in not establishing the policies\nand procedures as agreed. However, they did not indicate why they have not tested the\nFISMA systems this year. 
In addition, NCUA officials did not provide a formal\ncontingency plan for NAS.\n\nBy developing and routinely testing its IT system disaster recovery and contingency\nplans or including all key elements within a documented contingency plan, NCUA can\nhelp ensure its ability to continue to operate the information systems that support its\noperations and assets.\n\nRecommendation 4: We recommend that NCUA take the following actions:\n\n   1) Establish policies and procedures for developing, maintaining, and testing\n      disaster recovery and contingency plans, as well as test and update the plans on\n      an organization-defined frequency (to be determined).\n\n   2) Document and provide the formal contingency plan for the NCUA Accounting\n      System; and\n\n\n\n                                            9\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n\n   3) Test the NCUA contingency plans for each FISMA system according to NCUA-\n      defined frequency.\n\n\nAgency Response: NCUA agrees with the recommendation.\n\n\nOIG Response: The OIG concurs.\n\n\n5. 
NCUA needs to improve its oversight of external service providers.\n\nNCUA needs to improve its process for overseeing external service providers to include\ncontractors and government agencies.\n\nNIST SP 800-53 Revision 3 provides the following guidance:\n\n   \xef\x82\xb7   Requires that providers of external information system services comply with\n       organizational information security requirements and employ appropriate security\n       controls in accordance with applicable federal laws, Executive Orders, directives,\n       policies, regulations, standards, and guidance.\n\n   \xef\x82\xb7   Defines and documents government oversight and user roles and responsibilities\n       with regard to external information system services.\n\n   \xef\x82\xb7   Requires organizations to monitor security control compliance by external service\n       providers.\n\nWe determined NCUA does not have a documented methodology for performing\noversight and evaluation on contractor systems or systems hosted at other government\nagencies. Consequently, there was no methodology in place when NCUA implemented\nits new Financial Management System (Delphi) in FY 2010, operated externally by the\nDepartment of Transportation (DOT). We reviewed the NCUA/DOT Interagency\nAgreement for Delphi and determined it includes security language requiring\ncompliance with FISMA. However, NCUA does not have a copy of the Authority to\nOperate (ATO) or security Service Level Agreements (SLAs) with DOT. In addition,\nNCUA did not have the oversight compliance documentation agreed to as part of the\nInteragency Agreement. 
This documentation includes monthly security status reports\ndetailing DOT\xe2\x80\x9fs FISMA compliance, mitigation status trends and the overall security\nposture of the system.\n\nBy not appropriately monitoring security control compliance by external service\nproviders, the potential for security incidents increases which could put the overall\nconfidentiality, integrity, and availability of sensitive data shared between NCUA and\nexternal systems at risk.\n\n\n                                           10\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\n\nRecommendation 5: We recommend that the NCUA take the following actions:\n\n   1) Define and document policies and procedures for an oversight methodology of\n      external information system services with contractors.\n\n   2) Monitor security control compliance by external service providers and maintain\n      the required inventory items.\n\n   3) Maintain agreements (i.e., security Service Level Agreements, Interconnection\n      Security Agreements, and contracts between NCUA and external service\n      providers.\n\nAgency Response: NCUA agrees with the recommendations. We will create agency\npolicy that will address these items as well as update the NCUA contracting manual in\norder to address security requirements with external providers.\n\n\nOIG Response: The OIG concurs with NCUA\xe2\x80\x9fs planned actions.\n\n\n6. NCUA needs to improve its remote access controls.\n\nAccording to the results of the NCUA\xe2\x80\x9fs E-Authentication Risk Assessments, the\nExaminer Support System (ESS) and the Online Data Collection System (ODCS)\nrequire Level 3 Multifactor Authentication. However, these applications only implement\none factor (a user name and password). 
In addition, NCUA only requires one-factor\nauthentication for remote access to its network.\n\nOMB M-07-16, Safeguarding Against and Responding to the Breach of Personally\nIdentifiable Information, requires that agencies allow remote access only with two-factor\nauthentication where one of the factors is provided by a device separate from the\ncomputer gaining access.\n\nNIST SP 800-63, P 11 states \xe2\x80\x9cAuthentication systems are often categorized by the\nnumber of factors that they incorporate. The three factors often considered as the\ncornerstone of authentication are:\n\n   \xef\x82\xb7   Something you know (for example, a password)\n\n   \xef\x82\xb7   Something you have (for example, an ID badge or a cryptographic key)\n\n   \xef\x82\xb7   Something you are (for example, a voice print or other biometric)\xe2\x80\x9d\n\nNIST SP 800-63, P 11, P 34 states \xe2\x80\x9cLevel 3 authentication is based on proof of\npossession of a cryptographic key using a cryptographic protocol. Level 3\n\n\n                                           11\n\x0cREPORT # OIG-10-18: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2010\n\n\nauthentication assurance requires cryptographic strength mechanisms that protect the\nprimary authentication token (a secret key or a private key) against compromise by the\nfollowing protocol threats defined in section 8.1.1: eavesdropper, replay, on-line\nguessing, verifier impersonation and man-in-the-middle attacks. Level 3 also requires\ntwo factor authentication; in addition to the key, the user must employ a password or\nbiometric to activate the key.\xe2\x80\x9d\n\nAccording to the results of the Risk Assessments, ESS and ODCS require Level 3\nMultifactor Authentication. However, NCUA only uses one factor authentication (a user\nname and password) for access to ESS and ODCS. 
In addition, NCUA only uses one-factor authentication for remote access to its network. NCUA policy does not require multifactor authentication for its network or for its NIST 800-63 Level 3 and Level 4 systems.

By implementing OMB and NIST technical security considerations and requirements, NCUA will help protect its systems and data from the risk of unauthorized exposure. Should a breach of information occur (e.g., Financial Sector Oversight information), NCUA's reputation could be hurt and it could have a serious adverse effect on organizational operations, assets, or individuals.

Recommendation 6: We recommend that NCUA:

   1) Require multifactor authentication for remote access to the NCUA network.

   2) Require multifactor authentication for access to NCUA Level 3 and Level 4 e-Authentication systems.

   3) Implement multifactor authentication for remote access to the NCUA network, and for access to the Examiner Support System and the Online Data Collection System.

Agency Response: NCUA agrees with the recommendations in principle, but is prepared to accept the residual risk in using the systems as they are currently implemented. Over the years, we have spent considerable effort engineering the current access methods that address both information security and the connectivity needs of our remote work force.

OIG Response: The OIG emphasizes that using multi-factor authentication as compared to the current methodology would provide NCUA with optimum protection of its systems and data and ultimately its operations.
NCUA's own "Security Policy and Procedures" document indicates that "improved security comes by moving from the user ID/password environment…to the smart card/PIN environment…."

7. NCUA needs to improve its Plans of Action and Milestones process.

For some Plans of Action and Milestones (POA&M) items, NCUA needs to provide support that the items marked as "completed" were actually accomplished.

OMB and FISMA require agency officials to maintain sufficient POA&M evidence. Additionally, OMB and FISMA require agency officials to be involved in agency efforts to review and periodically update remediation efforts to correct outstanding weaknesses.

OMB M-04-25 states that OMB requires agencies to prepare POA&Ms for all programs and systems where an IT security weakness has been found. The guidance directs CIOs and agency program officials to develop, implement, and manage POA&Ms for all programs and systems they operate and control (e.g., for program officials this includes all systems that support their operations and assets). Additionally, program officials shall regularly (at least quarterly and at the direction of the CIO) update the agency CIO on their progress to enable the CIO to monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB. M-04-25 also provides instructions on how POA&Ms should be structured and maintained.

Although NCUA's POA&M process provides supporting documentation for most POA&M items, NCUA does not provide supporting documentation for some POA&M items marked as completed.
In addition, NCUA management does not sign off each completed POA&M item as part of POA&M oversight.

NCUA officials indicated that some actions to complete POA&M items cannot be documented and that the Information Security Officer visually verifies these items as the responsible party completes them. We have discussed with NCUA officials that they should certify that they reviewed or observed the remediation for those POA&M items, as opposed to just signing them off as "completed." In addition, NCUA officials indicated that NCUA management is not involved in signing off that items are completed.

By appropriately annotating or documenting each completed POA&M item, NCUA management can ensure that it is clear to all interested parties that NCUA has adequately addressed completed POA&M items. Ultimately, this will help reinforce NCUA's efforts to protect the confidentiality, availability, and integrity of NCUA data and systems.

Recommendation 7: We recommend that the NCUA:

   1) Obtain and maintain documentation to support all completed Plan of Action and Milestone items.

   2) Require the NCUA Information Security Officer to formally certify the completion of POA&M items that cannot be documented but that are visually observed as completed.

   3) Require NCUA management to sign off each completed POA&M item.

Agency Response: NCUA agrees with the recommendations. The position of the Deputy Chief Information Officer is currently vacant, but when filled, this person will verify that each item is fully completed and documented.

OIG Response: The OIG concurs with NCUA's planned actions.

8.
NCUA needs to enhance its procedures for ensuring terminated users and inactive user accounts are disabled or removed from NCUA systems.

We identified active user accounts for terminated employees on some NCUA systems.

This issue is a repeat finding from the FY 2009 FISMA review.

NIST SP 800-12 indicates that when user accounts are no longer required, the supervisor should inform the application manager and system management office so accounts can be removed in a timely manner.

In addition, NIST 800-53, Revision 3, provides the following guidance:

   •   Develop, disseminate, and periodically review/update formal documented procedures to facilitate the implementation of the access control policy and associated access controls.

   •   Manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.

We reviewed NCUA's listing of terminated NCUA employees against its list of Active Directory accounts and determined that terminated employees had active user accounts on NCUA systems as follows:

   •   Six users on the General Support System (GSS)
   •   Five users on the Online Data Collection System (ODCS)
   •   One user on the Insurance Information System (IIS)

Last year, NCUA officials informed us they implemented a new process to review and disable inactive Active Directory user accounts on a weekly basis. However, the process only applied to a review of GSS accounts. In response to our FY 2009 FISMA review, NCUA management agreed with the OIG's recommendations, which would have addressed these issues. NCUA management estimated a completion date of December 31, 2009. However, NCUA management did not formalize/document and update its process to review and disable inactive user accounts.
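The reconciliation described above (the terminated-employee list checked against Active Directory accounts, plus the weekly inactive-account review extended beyond the GSS to every system), as an added Python example that is not part of the report or of any NCUA process. The HR export, the account export, the 90-day inactivity threshold and the approved-exception list are all constructed for illustration.

```python
"""Reconcile an HR termination list against a multi-system account export.

Flags (1) enabled accounts belonging to terminated employees and (2) enabled
accounts with no logon for longer than a threshold, across all systems.
Accounts covered by a documented exception are reported separately rather
than silently dropped. All data below is constructed, not real NCUA data.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export: one row per terminated employee.
HR_TERMINATIONS = """employee_id,name,termination_date
1001,A. Auditor,2010-06-30
1002,B. Examiner,2010-08-15
1003,C. Analyst,2010-09-01
"""

# Constructed account export: one row per (system, account). 'enabled'
# stands in for the AD account-disabled flag; 'last_logon' is per system.
ACCOUNT_EXPORT = """system,account,employee_id,enabled,last_logon
GSS,aauditor,1001,yes,2010-06-29
ODCS,aauditor,1001,yes,2010-07-10
GSS,bexaminer,1002,no,2010-08-14
IIS,canalyst,1003,yes,2010-05-20
GSS,dcurrent,1004,yes,2010-10-01
ODCS,estale,1005,yes,2010-03-03
GSS,svc_backup,,yes,2010-01-10
"""

# Constructed list of documented, approved exceptions: account -> reason.
APPROVED_EXCEPTIONS = {"svc_backup": "service account, reviewed 2010-10-01"}

INACTIVE_DAYS = 90  # constructed threshold; the report names none


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(hr_csv, accounts_csv, as_of, inactive_days=INACTIVE_DAYS):
    """Return (action_items, excepted): enabled accounts that are either owned
    by a terminated employee or idle past the threshold, split by exception."""
    terminated = {r["employee_id"]: date.fromisoformat(r["termination_date"])
                  for r in _rows(hr_csv)}
    action_items, excepted = [], []
    for r in _rows(accounts_csv):
        if r["enabled"].lower() != "yes":
            continue  # already disabled; nothing to do
        term = terminated.get(r["employee_id"])
        idle = (as_of - date.fromisoformat(r["last_logon"])).days
        if term is not None and term <= as_of:
            reason = f"terminated {term.isoformat()} but still enabled"
        elif idle > inactive_days:
            reason = f"no logon for {idle} days"
        else:
            continue
        target = excepted if r["account"] in APPROVED_EXCEPTIONS else action_items
        target.append(Finding(r["system"], r["account"], reason))
    return action_items, excepted


def findings_by_system(findings):
    """Count action items per system, the shape the report uses in its finding."""
    counts = {}
    for f in findings:
        counts[f.system] = counts.get(f.system, 0) + 1
    return counts


def demo(as_of_iso="2010-10-15"):
    return review_accounts(HR_TERMINATIONS, ACCOUNT_EXPORT, date.fromisoformat(as_of_iso))
```

Running `demo()` against the constructed data yields four action items (one on the GSS, two on ODCS, one on IIS) and one excepted service account; the already-disabled account is correctly ignored.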
We believe this has resulted in NCUA management not consistently executing the process, as evidenced by the user accounts identified above that NCUA should have deactivated.

By disabling inactive user accounts and removing the access of terminated employees in a timely manner, NCUA will prevent existing and former employees from using these accounts to obtain unauthorized access to sensitive NCUA data. In addition, NCUA should formally document the user account review process to institutionalize it and help ensure the continuity and consistent execution of the process within NCUA.

Recommendation 8: We recommend that NCUA:

   1) Formally document its process for reviewing and disabling inactive user accounts.

   2) Include in the process of reviewing and disabling inactive user accounts the requirement to review user accounts on network devices and NCUA systems.

   3) Immediately review Active Directory accounts and system user accounts to identify and remove accounts for terminated employees.

Agency Response: NCUA agrees with the recommendations. While it is reasonable to expect a handful of people to appear on this list at any given point in time, we will automate the process that generates the list and document any valid exceptions.

OIG Response: The OIG concurs with NCUA's planned action.

9.
NCUA needs to update the Service Level Agreement for its Intrusion Detection System.

NCUA's formal Service Level Agreement (SLA) for its Intrusion Detection System (IDS) does not include requirements for specific security considerations and response times.

This issue is a repeat finding from the FY 2009 FISMA review.

NIST 800-53, Revision 3, provides the following guidance:

   •   Require providers of external information system services to comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

   •   Define and document government oversight and user roles and responsibilities with regard to external information system services.

   •   Monitor security control compliance by external service providers.

NCUA has a formal SLA with its IDS provider. However, the SLA does not describe specific security and response time requirements the service provider must meet, including adherence to OMB, FISMA, NIST, and United States Computer Emergency Readiness Team (US-CERT) requirements.

In response to the FY 2009 FISMA report, NCUA management indicated they did not formally incorporate specific security considerations and response times in the SLA because they purchased the service through a grandfathered GSA Schedule agreement. In addition, NCUA management indicated they were reviewing their current IDS service for possible replacement.
NCUA management also indicated that if the service was still in place after the end of the year, they were going to establish an updated SLA with the current vendor. NCUA management gave an estimated completion date of December 31, 2009.

NCUA officials did not provide a rationale for why they did not update the existing SLA with the current vendor as they indicated. However, NCUA officials indicated they are evaluating new IDS devices and are still planning to upgrade to a new IDS service in the near future.

By establishing specific security considerations and response time requirements in the SLA that the service provider must meet, NCUA management can help ensure that it will meet the reporting requirements of OMB, NIST, FISMA, and US-CERT and enhance its ability to protect the confidentiality, availability, and integrity of NCUA data and systems.

Recommendation 9: We recommend that NCUA:

   1) Update its Service Level Agreement with its Intrusion Detection System service provider to include the necessary security considerations and response time requirements (as mandated by OMB, NIST, FISMA, and US-CERT) if NCUA has not identified a replacement service provider by December 31, 2010.

   2) Include the necessary security considerations and response time requirements in its Service Level Agreement with its new Intrusion Detection System service provider.

Agency Response: NCUA agrees with the recommendations. NCUA is in the process of terminating the current IDS contract and executing intrusion detection in-house.
We will implement procedures governing security parameters and response times to adequately secure the system perimeter.

OIG Response: The OIG concurs with NCUA's planned actions.

10. NCUA needs to review its use of Personally Identifiable Information and Social Security Numbers.

NCUA has not performed a review of its holdings of Personally Identifiable Information (PII) and Social Security Numbers (SSNs), and, if necessary, reduced its use of PII and SSNs.

OMB M-07-16 requires that agencies:

   •   Review current holdings and reduce the volume of PII.

   •   Reduce the use of Social Security Numbers and eliminate any unnecessary use, and explore alternatives for a personal identifier both for Federal employees and in Federal programs.

In addition, OMB Memorandum 07-16 indicates that:

   •   Agency-specific implementation plans and progress updates regarding this review will be incorporated as requirements in agencies' annual reports under FISMA. Following this initial review, agencies must develop and make public a schedule by which they will periodically update the review of their holdings.
       This schedule may be part of an agency's annual review and any consolidated publication of minor changes of Privacy Act Systems of Records Notices (SORN).

   •   Within 120 days from the date of this memo, agencies must establish a plan in which the agency will eliminate the unnecessary collection and use of Social Security Numbers within eighteen months.

NCUA officials have not conducted an initial review to determine the amount of PII at NCUA, and to take steps, if necessary, to reduce the amount of PII and SSNs at NCUA.

By performing a review to determine the amount of PII and use of SSNs at NCUA, and, if necessary, reducing the amount of PII and use of Social Security Numbers, NCUA will reduce the risk of exposing its sensitive data to a breach of confidentiality by an authorized or unauthorized entity.

Recommendation 10: We recommend that NCUA:

   1) Review current holdings of Personally Identifiable Information and, if necessary, develop a plan to reduce any unnecessary use of PII and provide progress updates.

   2) Review and, if necessary, create and execute a schedule to eliminate any unnecessary collection and use of Social Security Numbers, and, if applicable, explore alternatives for a personal identifier for Federal employees and in Federal programs.

Agency Response: NCUA agrees with the recommendations. Agency staff recently received training in assessing privacy compliance aimed at inventorying and reducing PII and use of SSNs. Staff will develop a plan to obtain a baseline for this information in the coming months, including a scan for PII across central data stores.
Following establishment of the baseline, staff will work with offices, as necessary, to reduce any unnecessary use of PII, including SSNs.

OIG Response: The OIG concurs with NCUA's planned actions.

11. NCUA needs to implement continuing education requirements for its information technology employees.

NCUA management has not established specialized training requirements for NCUA's information technology (IT) employees.

This is a finding from the FY 2007 FISMA evaluation, which was repeated in the FY 2008 and FY 2009 FISMA evaluations.

NIST SP 800-53, Revision 3, guides that organizations provide system managers, system and network administrators, and other personnel having access to system-level software with adequate technical training to perform their assigned duties. It also guides that the organization document and monitor individual information system security training activities, including basic security awareness training and job-specific information system security training.

Additionally, the NCUA Agency Wide Information Security Policy indicates that training oversight includes general awareness training and specific training for people with significant security responsibilities.
The policy requires the CIO to ensure adequate training is planned for NCUA.

NCUA management's response to this finding in the FY 2009 FISMA report was that its current policy relies on each manager's discretion to determine the security training required by employees with significant security responsibilities, which is determined each year and documented using NCUA's Individual Development Plan (IDP) process. In addition, NCUA management indicated that in order to make this process more robust, they would require a meeting of managers at the beginning of each IDP cycle to establish that year's security training requirements, which will be documented and stored with the security plan. NCUA management gave an estimated completion date of October 31, 2009.

We determined that although OCIO officials indicated they were planning to hold a meeting to accomplish security training requirements for IT employees, they have not yet established or documented these requirements.

By defining a training requirement program and requiring IT employees to take security-related training, NCUA can help ensure its IT employees have the most current technical knowledge to effectively protect the confidentiality, availability, and integrity of its sensitive data and systems.

Recommendation 11: We recommend the NCUA OCIO establish documented continuing education requirements for IT employees.

Agency Response: NCUA agrees with the recommendation.

OIG Response: The OIG concurs.